Sn!pEr.S!Te reported some vulnerabilities in Esvon Classifieds 4.0 --
covered by Exploit DB 14817 / Bugtraq 42819 -- that look bogus to me.
The first is a command execution issue involving the 'sql' parameter
in 'inc/pdo.inc.php'. Looking at the copy of the file attached to the
Exploit DB advisory, the file in question comes into play only if the
funciton 'mysql_connect' does not exist and the 'PDO' class does, and
it consists of a series of function definitions that extend the PDO
class, but none that an attacker can reach by calling the file
directly. I'm also not sure exactly which code Sn!pEr.S!Te sees as a
problem; perhaps:
class esPDO extends PDO {
var $_aff_rows = 0;
function exec($sql){
return $this->_aff_rows = parent::exec($sql);
Grep & gripe perhaps?
The other issue is a local file inclusion issue in 'inc/
class.phpmailer.php'. The trouble is, that file simply defines a class
-- an attacker can't reach any of the functions in it by calling the
file directly. And even if you could, the only instances where
'lang_type' come into play is this:
function SetLanguage($lang_type, $lang_path = 'language/') {
/*if(file_exists($lang_path.'phpmailer.lang-'.$lang_type.'.php')) {
include($lang_path.'phpmailer.lang-'.$lang_type.'.php');
} elseif (file_exists($lang_path.'phpmailer.lang-en.php')) {
include($lang_path.'phpmailer.lang-en.php');
} else {*/
Note the multiline comment means there's no issue even if you could
somehow call that function.
George
--
theall at tenablesecurity.com